ICS Security Summit Solutions Track 2022

  • Friday, 03 Jun 2022 10:00AM EDT (03 Jun 2022 14:00 UTC)
  • Speaker: Dean Parsons

Adversaries targeting Industrial Control Systems (ICS) and Operational Technology (OT) environments have demonstrated an understanding of control systems with a skilled ability to develop ICS-capable attack tools to gain access and cause negative effects through cyber-kinetic attacks. As ICS security managers and practitioners, we know ICS attacks can change physical conditions or render unexpected or dangerous output. Consider a cyber-compromised active safety instrumented system (SIS) that fails to monitor and safely shut down a gas pipeline operation or refinery process in an over-pressurized condition. As well, we must not ignore several types of traditional IT attacks that could directly or indirectly impact the ICS.
ICS-specifically trained human defenders are an absolute requirement for critical infrastructure cyber protection. Human defenders leveraging ICS security technologies to help streamline defense in the control system environment will continue to be the way forward in maintaining the safety and reliability of operations as we navigate the evolving ICS attack landscape. Tactically speaking, control system network and OT system visibility is key for threat detection and proactive defense, which enables threat-informed decisions about operations by engineering teams and facility owners/operators.

The focus of the event is on how "ICS Defense is Doable!" across:
  • Distributed control systems (DCS)
  • Supervisory control and data acquisition (SCADA)
  • Industrial control systems (ICS)
  • Other OT control system types used to monitor events, processes, and devices in the sector

Specifically, it covers how OT/ICS security, engineering and management teams meet today's ICS/OT security challenges in defending the oil & gas sector across upstream, midstream, and downstream operations moving forward. Presentations will focus on thought leadership, with use-case examples of actions facilities can take and apply to suit their safety and industrial cyber protection goals.

Join the SANS Summit Workspace for this event! https://sansurl.com/ics-summit-slack

Agenda | June 3, 2022 | 10:00 AM - 5:30 PM EDT
7:15 AM

Check-In Opens (and goes ALL DAY)

Get checked in for the action-packed full day ahead and grab a bite to eat during our morning networking event and free breakfast!

FREE Breakfast!

10:00 AM

Welcome & Opening Remarks
Dean Parsons, SANS Instructor & Subject Matter Expert

10:15 AM

30 ICS Ransomware Outages - Why Criticality Boundaries Matter

This presentation looks at 30 ransomware incidents that caused industrial production outages in 2020 and 2021 and looks at what conclusions we can draw from the incidents. Ransomware tools and techniques trail nation-states by only a few years. Cloud-seeded ransomware is coming. There are only 3 ways that ransomware can impact physical operations. All three ways have to do with the difference between control-critical and business-critical networks. Experts from all over the ICS/OT security space are weighing in as to the right way to manage criticality boundaries.

Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

10:50 AM

First of its Kind – How SIBERprotect Responds at Machine Speed to Protect Industrial Control Systems

SIBERprotect is a one-of-a-kind, patent pending, cyber-physical response solution to protect against OT cyberthreats. SIBERprotect enables sub-second active responses like network quarantine, emergency equipment activation, setpoint forcing and more – all tailored to the status of the OT system. Since not every threat, nor response is the same, SIBERprotect is customizable to fit nearly every industrial operation. In this session you will learn how SIBERprotect utilizes the latest threat detection, automation, and controls technology to help OT systems become harder to hack and quicker to recover. Because cyberattacks act at machine speed – SIBERprotect responds at machine speed.

Chuck Tommey, GICSP, CEH, P.E. Digital Connectivity Executive, Siemens Digital Industries

11:25 AM

Moving Target Defense and Industrial Control Systems

Through over 20 publications and updates, standards in the United States have changed to call for using moving target defense in everything from baseline to critical settings. What does that look like in an operational technology network, and what processes work to drive the shift within institutions where people struggle to agree on the color of an orange? We'll cover four topics: remote access, OT DMZ unification, data streaming, and data transfer.

Ian Schmertzler, President, Dispel

12:00 PM

Networking Reception

Converse with fellow cybersecurity attendees over a delicious lunch including assorted carving stations and sweet treats!

FREE Lunch!

1:00 PM

Network Access Policy Hardening for OT

As shown through multiple high-profile cybersecurity attacks, organizations have to shut down operations when their mission-critical assets are breached. Traditional IT solutions are often too complex or incompatible with the requirements of OT environments. As the threat landscape heightens, organizations have to adopt and implement a risk-based security program in which continuous verification of network access policy plays a crucial role. This presentation will introduce the three foundations of a robust cyber resiliency program and provide practical recommendations to reduce OT network exposure.

Robin Berthier, CEO and Co-Founder, Network Perception

1:35 PM

Proposed Proactive Tasks for Improved ICS/OT Cybersecurity

In February and March of 2022, we surveyed over 900 ICS businesses, which revealed significant shortfalls in organizations' approach to handling cyber security events. Cyber-attacks have affected manufacturing and energy supply, and some ICS trends indicate a response to cyber threats on a case-by-case basis rather than one that is planned and formally executed. To avoid loss of productivity and defend against common initial intrusion vectors, it is important to have an approach that enables the detection of threats early and drives quick recovery actions. This session will explore the capabilities needed to minimize damage, the status of incidents based on Trend Micro's recent survey results, and the keys to countermeasures as seen from real-world case studies.

This session is sponsored by Trend Micro. Trend Micro's use of your personal information will be governed by their privacy policy.

William J. Malik, Vice President, Infrastructure Strategies, Trend Micro Incorporated

2:10 PM

2:25 PM

Product Security Meets Detection and Response

What is product security? In connected equipment and products, how do we detect new vulnerabilities? And how can we—as manufacturers or asset owners—respond to new threats? In this talk hosted by Finite State Lead Software Engineer Jason Ortiz, we will examine why attackers love the huge attack surface presented by OT/IoT and the key challenges facing connected device manufacturers and asset owners. In this session, Jason will also explore the business impacts of product security and how product security is quickly becoming the biggest gap in many cybersecurity strategies.

Jason Ortiz, Lead Engineer, Finite State

3:00 PM

Real World Examples: Detecting Threats from Industrial Process Data

Industrial process data and insights on normal baseline behavior reveal a lot about malware and network intrusions. In addition to combatting cybersecurity threats, the combination of data and process knowledge can head off operational problems, support predictive maintenance, and surface other opportunities to improve process efficiency.

In this presentation we look at anomaly detection techniques in a few cyber-physical processes and how they can be used to detect (1) replay attacks, (2) instrument failures, (3) misconfigurations, and more, all using real-world examples from previous attacks.

Sandeep Lota, Field CTO, Nozomi Networks

3:35 PM

Afternoon Break

Refreshments and Snacks Served

3:50 PM

Threat Story: Conti Ransomware and ICS

Ransomware attacks are a growing and genuine threat to critical infrastructure. With indiscriminate and sophisticated attacks, the challenge of cyber security has gone beyond one that is scalable by humans alone. In this session, Darktrace will demonstrate how its Self-Learning AI identifies resident and novel threats, as well as detects and responds to fast-moving attacks such as ransomware, regardless of the target. We'll show how Self-Learning AI augments network visibility and anomaly detection to reduce time to meaning and protect OT and cyber-physical systems from ransomware, sophisticated attacks, and other unusual causes of unexpected downtime. In particular, we'll focus on how Darktrace detected and helped mitigate a Conti ransomware attack that rapidly spread across both IT and OT, before damage was done.

Dr. Oakley Cox, Analyst Technical Director, Darktrace

4:25 PM

Understanding and Defending Against PIPEDREAM, the Seventh Known Industrial Control Systems (ICS)-Specific Malware

PIPEDREAM is the seventh known Industrial Control Systems (ICS)-specific malware and the fifth malware specifically developed to disrupt industrial processes. It represents a clear and present threat to the availability, control, and safety of industrial control systems and processes. In this presentation, Dragos will share what we've discovered about PIPEDREAM and Chernovite, the threat group responsible for developing this malware. We will present key findings, an overview of impacted technology, and potential malware deployment scenarios. Finally, we will share practical guidance and examples that asset owners can employ to defend their most critical systems against not only Chernovite, but other adversaries intent on disrupting industrial control systems.

Sam Wilson, Product Manager, Dragos

5:00 PM

How to Eat an Elephant – Strategies for Dealing with Vulnerability Overload

Heterogeneous networks, outdated operating systems, patching limitations: there is no shortage of challenges when addressing vulnerabilities in OT/ICS security. But not all vulnerabilities are equal. How do you take on this never-ending challenge and "eat the elephant" by identifying, mitigating, or remediating vulnerabilities in your systems and networks? This session will address the strategies needed to reduce vulnerabilities and shrink your attack surface.

Matt Sexton, Director, PAS Business Development, PAS

5:35 PM

Dean Parsons, SANS Instructor & Subject Matter Expert